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Abstract. We give several improvements on the known hardness of the unique shortest vector problem. 

— We give a deterministic reduction from the shortest vector problem to the unique shortest vector 
problem. As a byproduct, we get deterministic NP-hardness for unique shortest vector problem in 
the too norm. 

— We give a randomized reduction from SAT to uSVPi+i/poiy(„) . This shows that uSVPi+i/poiy(„) is 
NP-hard under randomized reductions. 

— We show that if GapSVP^ G co-NP (or co-AM) then uSVP^ e co-NP (co-AM respectively). This 
simplifies previously known uSVP^i/4 G co-AM proof by Cai [10] to uSVP^^^ G co-AM, and 
additionally generalizes it to uSVP^i/4 G co-NP. 

— We give a deterministic reduction from search-uSVP^ to the decision-uSVP^/2- We also show that the 
decision-uSVP is NP-hard for randomized reductions, which does not follow from Kumar-Sivakumar 



1 Introduction 



A lattice is the set of all integer combinations of n linearly independent vectors bi, b2, . . . , b„ in E™. These 
vectors are referred to as a basis of the lattice and n is the rank of the lattice. The successive minima Ai(L) 
(where i = 1, . . . , n) for the lattice L are among the most fundamental parameters associated to a lattice. The 
Xi (L) is defined as the smallest value such that a sphere of radius Xi (L) centered around the origin contains 
at least i linearly independent lattice vectors. Lattices have been investigated by computer scientists for a few 
decades after the discovery of the LLL algorithm More recently, Ajtai [5] showed that lattice problems 
have a very desirable property for cryptography i.e., they exhibit a worst-case to average-case reduction. This 
property immediately yields one-way functions and collision resistant hash functions, based on the worst case 
hardness of lattice problems. This is in a stark contrast to the traditional number theoretic constructions 
which are based on the average-case hardness e.g., factoring, discrete logarithms. 

We now describe some of the most fundamental and widely studied lattice problems. Given a lattice 
L, the 7-approximate shortest vector problem (SVP^) is the problem of finding a non-zero lattice vector of 
length at most 7Ai(L). Let the minimum distance of a point t € R™ from a vector of the lattice L be denoted 
by d.(t,L). Given a lattice L and a point t e R™, the 7-approximate closest vector problem or CVP^, is the 
problem of finding a v G L such that ||v — t|| < 7d(t,L). 

Besides the search version just described, CVP and SVP also have a decision version. The problem GapCVP^ 
is the problem of deciding if, given (B,t,(i G K), d(t,L(B)) < d or d(t,L(B)) > -yd. Similarly, the problem 
GapSVP^ is the problem of deciding if, given (B,d G R), Ai(L(B)) < d or Ai(L(B)) > yd. 

The two problems CVP and SVP are quite well studied. We know that they can be solved exactly in 
deterministic 2*^^"^ time |27l5j . They can be approximated within a factor of 2"('°si°s") /logn^ jj^ polynomial 
time, using LLL [52] and subsequent improvements by Schnorr [SD] (for details, see the book by Micciancio 
and Goldwasser [16]). On the other hand, it is known that there exists c > 0, such that no polynomial 
time algorithm can approximate these problems within a factor of n'^/ ^°s^°s'n- ^ unless P = NP or another 
unlikely scenario is true |12|17|8j . It is also known that both these problems cannot be NP-hard for a factor 
of y^n/logn or the polynomial hierarchy will collapse. 

A variant of SVP that has been especially relevant in cryptography is the unique shortest vector problem 
(uSVP) . The problem uSVP-y is the problem of finding the shortest non-zero vector of the lattice, given the 
promise that A2(L) > 7Ai(L). The security of the first public key cryptosystem by Ajtai-Dwork 1 was based 
on the worst-case hardness of uSVPoj^nS-). In a series of papers |14I29) . the uniqueness factor was reduced to 
0(ni-5). 

In contrast to CVP and SVP, much less is known about the hardness of uSVP. The current NP-hardness 
result known for uSVP-^ is for 7 < 1-1- 2~" , which is shown by a randomized reduction from SVP [21]. In 
[23] . it was shown that there is a reduction from uSVP^ to GapSVP^ and also a reduction from GapSVP^ to 
uSVP 1 . From the first reduction, we can conclude that uSVP^ G co-NP if GapSVP G co-NP which, 

using the result of [6] implies that uSVP^ G co-NP. It is already know from Cai [10] that uSVP„i/4 G co-AM. 
A discussion of the proofs and the simplification can be found in Section 5. 

Contributions of this paper. In Section 3.1, we give a deterministic polynomial time reduction from 
SVP to uSVP achieving similar bounds as [21] for the £2 norm. This implies, unlike [21], that deterministic 
NP-hardness of SVP implies deterministic NP-hardness of uSVP. Also, this result shows that the decision 
problem duSVP is also NP-hard under randomized reductions. In Section 3.2, we show that a similar idea 
gets us NP-hardness proof for uSVP in £00 norm. In Section 4, we show that uSVPi_|_i/po/y(„') is hard by giving 
a randomized reduction of the SVP instance created by Khot [20] to uSVPi_,_i/po;j,(„). In Section 5, we show 
uSVP^jj-jj-ji/d G co-NP for some c > 0, which implies that uSVP-y cannot be NP-hard for 7 > cn^/* unless 
NP = co-NP. In Section 6, we give a search to decision reduction for the unique shortest vector problem, 
i.e., a reduction from uSVP^ to duSVP^/2- The definition of duSVP is implicit in Cai [10 . A comparison of 
some of our results with previously known results has been depicted in Figures [T] and [2j 
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2 Preliminaries 

2.1 Notation 

A lattice basis is a set of linearly independent vectors bi, . . . , b„ G M™. It is sometimes convenient to think 
of the basis as an m x n matrix B, whose n columns are the vectors bi, . . . , b„. The lattice generated by 
the basis B will be written as L(B) and is defined as L(B) ~ {Bx|x G Z"}. A vector v G L is called a 
primitive vector of the lattice L if it is not an integer multiple of another lattice vector except ±v. We will 
assume that the lattice is over rationals, i.e., bi, . . . ,b„ G Q"\ and the entries are represented by the pair 
of numerator and denominator. 

A shortest vector of a lattice is a non-zero vector in the lattice whose £2 norm is minimal. The length 
of the shortest vector is Ai(L(B)), where Ai is as defined in the introduction. For a vector t G M™, let 
d(t,L(B)) denote the distance of t to the closest lattice point in L(B). 

For any lattice L, and any vector v G L, we denote by Lj^v the lattice obtained by projecting L to the 
space orthogonal to v. 

For an integer fc G Z+ we use [k] to denote the set {!,..., k}. 

2.2 Lattice Problems 

In this paper we are concerned with the shortest vector problem and the unique shortest vector problem. 
The search and decision versions of the shortest vector problem are defined below. 

GapSVP^: Given a lattice basis B and an integer d, say "YES" if Ai(L(B)) < d and "NO" if Ai(L(B)) > 7^. 
SVP-y: Given a lattice basis B, find a non-zero vector v G L(B) such that ||v|| < 7Ai(L(B)). 

We now formally define the search and decision unique shortest vector problem. The definition of the decision 
version of uSVP is implicit in Cai [10 , although, to our knowledge, it has not been explicitly defined anywhere 
in the literature. 

uSVP.^: Given a lattice basis B such that A2(L(B)) > 7Ai(L(B)), find a vector v G L(B) such that ||v|| = 
Ai(L(B)). 

duSVP^: Given a lattice basis B and an integer d, such that A2(L(B)) > 7Ai(L(B)), say "YES" if Ai(L(B)) < 
d and "NO" if Ai(L(B)) > d. 

2.3 Defining co-AM and co-NP 

The definitions of this section have been adapted from |13) . 

Definition 1. A promise problem U = (iTyESi ^no) is said to be in co-NP if there exists a polynomial-time 
recognizable (witness) verification predicate V such that 

— For every x G U^q, there exists w G {0, 1}* such that V{x,w) = 1. 

— For every x G IIyes and every w G {0, 1}*, V{x, w) = 0. 
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Definition 2. A promise problem 77 — (TTyeSi^no) is said to be in co-AM if there exists a polynomial- 
time recognizable verification predicate V and polynomials p, q such that for every x e iTvES U TIno with 
|x| = n, and y chosen uniformly at random from {0, 



If X e TTno, then there exists w e {0, such that Pr y, w) = 1) > 
If X e TTyes, then for ah w G {0, PT{V{x,y,w) = 1) < i 



3 A deterministic polynomial time reduction from SVP to uSVP 

Let us suppose that B = [bi b2 ... b„] is the input lattice. The Gram Schmidt orthogonalization of B, 
denoted as {bi, . . . , b„}, is defined as 



(b.,b,-) 



bi = bi — fijjhj, where 



Definition 3. A basis B = {bi, . . . , b„} is a S-LLL reduced basis if the following holds: 

- V 1 < j < i < n, l^ijl < i, 

- V 1 < i < n, <5||b,||^ < ||//,+i,,b, + h,+if. 

We choose S — j and then, from the above definition, for a (5-LLL reduced basis, V 1 < i < n, ||bi|| < 
-\/2||bi_f,i||. This implies that 

llbill < 2('-i)/2||b,|| . 

Since there is an efficient algorithm [22] to compute an LLL-reduced basis, we assume, unless otherwise 
stated, that the given basis is always LLL-reduced and hence satisfies the above mentioned properties. 

Lemma 1. For an LLL reduced basis B, ifu = aihi is a shortest vector, then \ai\ < 2'^"/^ for all i G [n]. 

i 

Proof. We show by induction that for < « < rt — 1, |Q!„_i| < 2"/^+*. Since u is the shortest vector of IL(B), 
||u|| < ||bi||. Also, since the projection of u in the direction of b„ is Q;„b„, 

llbill > ||u|| > |a„|||b„|| 

>2-("-i)/2|a„|||bi|l . 

This implies that |q;„| < 2("-i)/^ 

Now assume that < 2"/^+' for < z < fc. Then, using the fact that ||u|| < ||bi|| and that the 

( " V 

projection of u in the direction of b„_fe is a„_fe + ( ^ ) b„_fc, we get that 

n 

Ibill > Hull > I I a„_fe + ( ^ 

j—n—k-\-l 

> 2-("-'=-i)/^| j a„_fe + ( ^ ^^,,n-ka,) ] lllbill . 

\ j—n—k-\-l 
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Therefore, 



j—n—k-\-l 
k-1 



fc-1 



n/2+j 



□ 



3.1 Deterministic reduction from SVP to uSVP 

Given an instance of SVP(B, d), we define a new lattice L(B ) as follows. 



1 

2 



b2 





22„ 



V 



22" 
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So, (b;)^ = [bf 







^ ''^^^■i ... 0], where the (m + i)'th entry is non-zero. For a vector 
V = Qfibi e L(B), we call v' = aih[ as the corresponding vector. 

Lemma 2. For </ie new basts B , A?(L(B)) < A?(L(B')) < A?(L(B)) + 2-"/^. 

Proof. The first inequality follows from the fact that the length of the vectors can't get shorter in L(B ). 

n 

For the second inequality, let v be a shortest vector in L — L(B) such that v — a^b^. Then from Lemma 

i 

m < 23"/2, and hence 

\\Y,a,h:r<\l{h) + J2al, 



24n2 



■)3n 



< A?(L) , - , , , , , 

< A?(L) +2-"/2 . 



□ 



Lemma 3. Let Vi,V2 € L(B) 6e iwo distinct vectors such that ||vi|| = |lv2|l = Ai(L(B)) and let Vj^,V2 G 
L(B ) be the corresponding vectors. Then, ||lvj^|p — IIV2IPI > 2" 



Proof. Let vi = cxihi and V2 — Pii^i- Let j G [n] be the largest number such that aj 7^ /3j. Then, 



w'2r\-\Y.^o4~pj)C—^f\ 



22r. 

94(j-l)n 94(i-l)n 

1=1 



> 



04(i-l)n J 1 o4(i-l)n 

z=l 

24(j-l)n 24(j-l)n _ 1 

_ 23n 



> 



24n^ 24" (^2^" — 1) 

1 



24r; 



□ 



Lemma 4. Let v, vi, V2 be vectors in an integer lattice L — L(B). 

^//||vi||>||v2||,t/ie7l||vij|2-||v2||2>l. 

— //||v|| > Ai(L), then if w £ L(B ) is the corresponding vector, then ||v p > A^(B) + 1. 

Proof. The first item follows from the fact that for integer lattices the i\ norm of a vector is also an integer. 
The second item follows from the fact that v is not the shortest vector in L(B) and ||v |p > ||v||^. □ 

Without loss of generality, we can assume L(B) to be an integer lattice, and hence, using the above 
lemma, we get the following result. 



Theorem 1. Given a lattice L = L(B), there is a deterministic polynomial reduction transforming it to 
another lattice L' = L(B ) such that j 
NF-hard under randomized reductions. 



another lattice L' = L(B ) such that j^^itj > y^l + ' ^i,J^2(i^-^ /^'^ some c < 1/4. In particular, duSVP is 



Proof. From Lemma [3] and Lemma [H we have that A2(L') — (L') > 2 , which implies t^tttt > 



-I- 24..^Af(L') • ^^'^^ Lemma m Ai(L') < Ai(L) + and hence is at least 1 + 24,.^Af(L) ' 

some constant c < i. □ 

We would like to point out that we assumed in Lemma H] that the lattice L is an integer lattice. Hence, 

Ai(L) can be 0(2™ • input size) and hence, ^''IH^;^ can be arbitrarily close to 1. The original Kumar- 

Sivakumar [21] proof also suffers with the same problem. The idea there is to show that the number of 
lattice points in a ball centered at the origin and of radius \/2Ai(L) is at most 2". Then one can create a 
new lattice L with a unique short vector v with Ai(L) < ||v|| < \/2Ai(L). In the worst case, the ratio of 
A2 (L ) and A^ (L ) for the new lattice (assuming that the original lattice was integer lattice) can be as small 

as 2x\V)-i ' which is (1 + 2x^(1.) ) ■ ^i(L) is 0(2™ • input size), we get (1 + 1/exp) hardness of uSVP in 
both cases. 



3.2 Deterministic hardness of uSVP in i^o norm 

In this section, we show that the uSVP problem is NP-hard in the ioo norm. For simplicity of description, 
we assume that all norms in this section are £00 norms. Also, as before, the lattice L is an integer lattice. 

For the LLL reduced basis {bi, . . . ,b„}, there is a constant c such that ||bi|| < 2'^'^*^^^||b,;||, for all i G [n]. 
An induction proof as in Lemma [1] gives the following corollary. 
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Corollary 1. // the basis B is LLL reduced then for the shortest vector u — aihi, one has that for all i, 
\ai\ < 2('^+-'-)", for some constant c. 

We use the following theorem by P. van Emde Boas [7]. 
Theorem 2. The problem SVP in £oo norm is NP-hard. 

Now we prove the main result of this section. 
Theorem 3. The problem uSVP in £oo norm is NP-hard. 

Proof. We take the instance resulting from Theorem[2]and make the shortest vector unique. Let 77 — (c+ l)n, 

then for all i £ [n], \ai\ < 2^. Given the basis {bi, . . . , b„}, we perturb the basis slightly in the following way. 

22(1-1)77 / 
The basis vector hi gets ^^^-j — added to each of its entries. For the new lattice L , we have the following 

easy to prove observations. The theorem follows from them. 

— If V = J2i Q^jbi e L is a shortest vector then the vector v — J2i ca^i G L . Also, 

" 22(*-i)») 

Ai(L')< ||v|| <Ai(L)+^a.^5^=Ai(L) + 2i-''. 

i—l 

— Let Vi, V2 G L and ||vi|| > ||v2||, then ||vi|| — ||v2|| > 1, as L is an integer lattice. 

— Let V = J2ie[n] '^i^i ^ ^ ^i^d let hij be the j'th entry of b^. If v is the vector corresponding to v in L 
and ||v'|| — I J2ieln] o^jb- jl, for some j G [m], then ||v|| — \ J2ie[n] ^i'^ijl the same j . This follows 
from the fact that the X!iG[n] '^i^ij ^^^r all j is an integer, and hence will either be equal to ||v|| or will 
be at most ||v|| — 1. 

— Let vi, V2 e L such that ||vi|| = ||v2|| = Ai(L) then |||vi|| - ||v2||| > | ~ /^») ^^^L,^''" I- Similarly, as 
in Lemma 131 we get that |||v]^|| — ||v2||| > 2~^''^. 

□ 



4 Hardness of uSVP within 1 + 

The following is a result obtained by letting rj = p = 2, and fe = 1 in Theorem 3.1 and Theorem 5.1 of 

m- 

Lemma 5. For some fixed constants ci, C2, there exists a polynomial time reduction from a SAT instance of 
size n to an SVP instance (B, d) where B is a 2^^^ x N integer matrix with N < n'^^ , and d < n'^^ such that: 

1. If the SAT instance is a YES instance, then with probability at least 9/10, there exists a non-zero x G , 
such that ||x|| < d^ and |lBx|| < \J\d. 

2. If the SAT instance is a NO instance, then with probability at least 9/10, for any non-zero x G Z^, 
||Bx|| > Vd. 

We state below lemma 4 from [21]. 

Lemma 6. Let T 7^ be a finite set of size at most 2™, and let T = Tq D Ti D ■ ■ ■ D T2m be a sequence of 
subsets of T defined by a probabilistic process that satisfies the following three properties: 

1. For all < k < 2m, and all x E T, Pr(.T G Tk+i\x G T^) ~ j- 

2. For all x (ET, <k < i < 2m, Pr{x G Ti+i\x eTi,xe Tt) = Pr(a; G Ti+i\x G Tt). 

3. For all k^ < k < 2m, and all a;, y G Tk, x =/= y, the events "a; G T/j+i" and "y G T^+i" are independent. 

Then, with probability | — 2^™, one of the Tk 's has exactly one element. 
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The following result is a simpler version of Corollary 3 from . 

Lemma 7. Given any arbitrary lattice L of rank n, the number of lattice points in L of length Ai(L) is at 
most 2"+i . 

Proof. Let B = (bi, . . . , b„) be the basis of L. We claim that for any two vectors u 7^ ±v e L of length 

n n 

Ai(L), where u — a^b^ and v — ^^/J^bi, there exists an i such that ai ^ Pi (mod 2). Note that this 

1=1 1=1 
claim implies the desired result. 

n n 

Assume, on the contrary, that there exist a u = a^b^ and v = /3ihi such that ||u|| = ||v|| ~ Ai(L) 

i=l i=l 

and ai = /3i (mod 2) for all i. This implies that ^ij^ G L and ^^-^ e L. Also, 

l|U + v , iiH^ip ^ ||u||^ + ||vf + 2(u,v) ||u|p + ||v||^~2(u,v) 
" 2 " " 2 " 4 4 

Since, u 7^ ±v, this implies that < ||^^-^|| < Ai(L) and < < Ai(L), which is a contradiction. □ 

We now prove the main result of this section. 

Theorem 4. For some fixed constants ci, C2, c, there exists a polynomial time reduction from a SAT instance 
of size n to a sequence of lattice basis B^, 1 < i < 2N + 2, and d, where B^ 's are 2N x N integer matrices 
with N < n'^^ , and d < n'^^ such that: 

1. If the SAT instance is a YES instance, then with probability at least 1/2, there exists an i such that 

L(Bi) has a 1 + -unique shortest vector of length at most '\J^d- 

2. If the SAT instance is a NO instance, then with probability at least 9/10, for all i, the shortest vector of 
L(Bi) is of length at least \fd. 

Proof. Given a SAT instance, consider the pair (B, d) using the reduction from Lemma [5] 

We generate, as in ^21], a sequence of lattices L(Bo), L(Bi), . . . , L(B2Ar+2) inductively as follows. Suppose 

we have generated L(B) = L(Bo),L(Bi), . . . ,L(Bfe) for some < k < 2N + 2. We now show how to generate 

Bfe+i. Let Bfc = (bi, . . . , hpf). Pick a subset W C [N] uniformly at random from all subsets of [A^]. If W is 

empty, then let B^+i ~ Bfc. Otherwise, pick any i from W. For j ^ W, let b^ = hj, and for j ^ W \ {i}, let 

b; = hj - hi. Finally, let h[ = 2hi and Bfe+i = (K, b^, . . . , b^). 

Note that each of the B^'s are 2A^ x N integer matrices. Also, since L(Bi) C L(B) for all < i < 2A^ + 2, 

therefore, if the SAT instance is a NO instance, then, by Lemma[5l with probability 9/10, the shortest vector 

of L(Bi) is of length at least Vd for all i. 

Now, consider the case when the SAT instance is a YES instance. In this case, by Lemma \5\ with 

probability 9/10, we have 1 < Ai(L(B)) < since, B is an integer matrix. The set T is a subset of L(B) 

defined as follows: 

r-{veL(B) I ||v|| = Ai(L(B))} . 

Furthermore, we define the sets for 1 < i < 2Ar + 2 as = T n h{Bi). By LemmaH \T\ < 2^+^. The 
sets Ti, for 1 < z < 2A^ + 2 satisfy the conditions of Lemma |6] for m = N + 1. Thus, by Lemma [H with 
probability | - 2~^~\ there exists aO<fc<2A^ + 2 such that IT^I = 1. Note that Bi is an integer matrix 
for all i. Thus, since |T n L(Bfe)| = 1, we see that 

A2(L(Bfe)) > Ai(L(Bfc)) + 1 > Ai(L(Bfc))(l - 

Thus, there exists a constant c (which can be computed in terms of ci and C2) such that with probability 
• (| — 2"-'^"^) > i, there exists a k such that L(Bi;) has a (1 + -|^)-unique shortest vector of length at 

most \/ld. This concludes the proof. □ 
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5 From GapSVP G co-NP (co-AM) to duSVP G co-NP (co-AM) 



We now simplify and generalize the uSVP„i/4 £ co-AM proof by Cai [lOj. We first give a simplified description 
of Cai's proof that uses the idea of the co-AM proof of [T3]. Here, one needs to give a co-AM proof that 
given a lattice L with n^/'*-unique shortest vector and an integer d, Ai(L) > d. The protocol is as follows. The 
verifier generates uniform random points Pi € h for i € {0, 1, . . . , log2(mini ||bi||)}. For each i the verifier 

generates a random point Zi G B{pi, 2^~^t^ ^Jn — i). The verifier then sends these points to the prover. 

The prover then provides the claimed shortest vector v (primitive vector) and for the correct range when 
T't < ||v|| < 2*+^t, the correct point (mod v) which is in L. If Ai(L) > d then the prover can send the 
correct shortest vector v and for the corresponding i the balls corresponding to different choices of p € L are 
disjoint or identical depending on whether the respective centers are congruent modulo the shortest vector 
V. So, the prover has no trouble in providing the proof when Ai(L) > d. If on the other hand Ai(L) < d and 
||?;|| > d, it must be a multiple of the shortest vector or much longer than Ai(L). In this case, the balls have 
lot of overlap and the prover will be caught with high probability. 

We show that the above idea can be generalized for any co-NP or co-AM proof, i.e., we show that for 
any factor 7, if GapSVP^ e co-NP then duSVP^^ is in co-NP (and similarly for co-AM). This implies, using 
the result of Aharonov and Regev [6] that GapSVP ^ G co-NP, that duSVP 1 G co-NP, and any subsequent 
improvements in the factor for GapSVP will imply an improvement for duSVP. 

Lemma 8. Let h be a lattice such that A2(L) > 7Ai(L), and let w be a primitive vector in L. Then: 

^ If ||v|| ^ Ai(L), then Ai(Liv) < 

- //||v|| = Ai(L), then Ai(Liv) > [^Jl^ - l) ||v||. 

Proof. If ||v|| ^ Ai(L) and v is primitive, then ||v|| > A2(L) > 7Ai(L). Let u be the shortest vector in L. 
Then the projection of u in the space orthogonal to v (say u' G Lj^v) is of length at most ||u|| = Ai(L). 
Also, u is not parallel to v, and hence, u' 7^ 0. This implies 

Ai(Liv) < Ai(L) < M . 

7 

If ||v|| ~ Ai(L), then let u' be the shortest vector in Lj^v Let u' be the projection of u G L orthogonal 
to V. Then u = u' + av for some a G M. Since u— [a]v G L is not an integer multiple of v, ||u— [a]v|| > 
A2(L) >7||v||. Thus, 

7||v|l < llu' + (a - L«l)v|l < yi|u'|P + i||v||2 , 
because u' is orthogonal to v. This implies that 

Ai(L^v) = |lu'|l> l|v|l. 

□ 



Theorem 5. // GapSVP^^^;^^^ G co-NP, then duSVP-, G co-NP. 

Proof. Let (B,d) be an instance of duSVP-^. Assume a witness for recognizing Ai(L(B)) > d to be a vector 
V and a string w. The verification predicate V on input (B, d, v, w) outputs 1 if and only if v is a primitive 
vector of L = L(B), ||v|| > d, and the verification predicate V for proving GapSVP^, G co-NP, (where 

7' — 71/7^ — -j) on input (B', ^^,u') outputs 1, where B' is a basis for Lj^v- 
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CASE 1: (B,d) is a "NO" instance, i.e. Ai(L) > d. 

In this case, let v be the shortest vector in L, and w is the witness output in the proof of GapSVP^, e 

co-NP for input (B', M). 

Since Ai(L) > d, v is a primitive vector of L with length greater than d. Also, from LemmalU Ai(L_lv) > 

(y7^)l|v||=7'^. _ 
Thus, the verification predicate V outputs 1. 
CASE 2: (B,d) is a "YES" instance, i.e. Ai(L) < d. 

In this case, let us assume that there exists a witness v, w such that V outputs 1. 

Thus, V is a primitive vector with ||v|| > d. This implies that ||v|| ^ Ai(L), and using Lemma [8j 
Ai(Lj^v) < Therefore, V' , and hence V, output 0, which is a contradiction. 

□ 

This result, along with the result of [6] implies the following; 
Corollary 2. There exists c> such that duSVP^„i/4 G NPn co-NP. 

Note that essentially the same idea as in Theorem [5] can be used to show that 
Theorem 6. // GapSVP^^/^^^^r e co-AM, then duSVP^ G co-AM. 

Thus, using the result of [13], this implies the following: 
Corollary 3. There exists c> such that duSVPc(-^^)i/4 G NPn co-AM. 



6 A deterministic reduction from uSVP-y to duSVP-y/2 

The following lemma is taken from the uSVP to GapSVP reduction given in [23] . 

Lemma 9. Let L = Lq be a lattice of rank n > 2 given by its basis vectors, and let u be the shortest non-zero 
vector o/L. If there exists an efficient algorithm that computes a basis for a sub-lattice ofhi such that 

Li+i 7^ Li and u G L^+i for all i > 0, then there exists an efficient algorithm that computes a basis for a 
sublattice hofL,of rank n — 1 such that u G L. 

Proof. Let B be the given basis for L, let S be a basis for the sublattice Li for some t > n{n + log2 n), and 
let D be the dual basis of S. Since L^+i is a sub-lattice of L^ for all i, we have that det(S) > 2*det(B), 
which implies det(D) < 1/ (2*det(B)). By Minkowski's bound [l6], we have Ai(L(D)) < 7ndet(D)i/", ^^^ich 
implies that using the LLL algorithm [22], we can find a vector v G L(D) such that 

on /TT 

||v|| < 2"Ai(L(B)) < — ^--TT- ■ 

II II - n \ n - 2t/«det(B)i/« 

Also, using Minkowski's bound, we have ||u|| < V^det(B)i/". r^j^jg implies that 

|(u,v)| < ||u||||v|| < n-2"-*/" < 1 . 

But u G L(D) and v G L(S), and thus |(u, v)| is an integer, which implies (u,v) = 0, i.e., u is perpen- 
dicular to V. Thus, by taking the projection of L perpendicular to v, we get a lattice L in rank n — 1 such 
that u G L. □ 

Lemma 10. Let 7 > 2 and h be a lattice such that A2(L) > 7Ai(L). Then, given any sublattice L' o/L 
containing the shortest non-zero vector u o/L and an oracle that solves duSVP^/2j there exists an algorithm 
that computes a sublattice L"(7^ L') o/L' such that u G L". 
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Proof. Using the duSVP^/2 oracle, we can estimate ||u|| within a factor of 2 using binary search. Thus, let d 
be such that d/2 < ||u|| < d. 

Let B = (bi, b2, . . . , b„) be a basis for L' and let u = aibi + • • • + a„b„ be the shortest vector of L for 
some ai G Z. Note that since L' is a sub-lattice of L, A2(L') > A2(L). 

Consider three basis as follows: 

Bi = (2bi,b2,b3,...,b„) , 

B2 = (bi,2b2,b3,...,b„) , 

B3 (bi +b2,2b2,b3,...,b„) . 

It is easy to see that 2u belongs to each of L(Bi), L(B2), and L(B3). Also, since these are sub-lattices 
of L(B), A2(L(B,)) > A2(L(B)). This implies that A2(L(B,)) > f Ai(L(Bi)) for i e {1,2,3}. Thus, using the 
duSVP^/2 oracle, we can check whether Ai(L(Bi)) < d, or Ai((L(Bi)) > d, and hence whether u € L(Bj) or 
not. 

It is sufficient to prove that u € L(Bi) for some i G {1, 2, 3}. If ai is even, then u e L(Bi), and if a2 is 
even, then u € L(B2). If cti and a2 are both odd, then u = ai{hi -f b2) -f "^-ai (2b2) -l-asbs -|-a„b„ € 
L(B3). □ 

Thus, given a uSVP^ instance L(B) of rank n, using Lemma [TOl we can obtain a sequence of sub-lattices 
(where each lattice is a strict sub-lattice of the previous one) such that each of these contains the shortest 
vector of L(B). Then, using LemmalHl we obtain a basis of a sublattice of L(B) of rank n — 1, still containing 
the shortest vector of L(B). Repeating this procedure, we obtain a basis of a sublattice of L(B) of rank 1 
containing the shortest vector of L(B), which will be the vector u. We thus obtain the following result. 

Theorem 7. For any 7 > 2, there exists an algorithm that solves uSVP-y given a duSVP^/2 oracle. 

7 Discussion and open problems 

Many interesting problems related to uSVP remain. The gap between the uniqueness factor (1 + ^^), for 

which we know that the uSVP is hard, and (j^^)^^^, for which we know that the problem is in co-AM is 
still large. It will be interesting to try to show hardness of uSVP for some constant factor. 

The decision version of uSVP was not known to be NP-hard, as it does not follow from Kumar-Sivakumar's 
work j21j . Our deterministic reduction from SVP succeeds in showing the NP-hardness of the decision version 
but this hardness cannot be concluded even for a factor of (1 + ^^) hardness, which remains an open problem. 
The search to decision equivalence of duSVP and uSVP upto a factor of 2, shows that the complexity of the 
two problems is not too far apart. It is interesting to try to improve the factor of 2, but this might require 
substantially new ideas. It is a major open question whether such a search to decision reduction is possible 
in the case of approximation versions of the shortest vector problem and the closest vector problem. 
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